(57) ABSTRACT

A certificate issuing apparatus and method creates a new certificate of a differing format from an existing certificate format to facilitate certificate conversion. A certificate converting unit receives first certificate data in a first format and desired certificate format criteria data, such as data representing the format of a certificate to which the first certificate is to be converted. The apparatus and method then generates second certificate data in a second format in response to the desired certificate format criteria data. In one embodiment, this is done using certificate format template data, such as templates representing the format and/or syntax of a plurality of differing certificate formats. The format template data is then mapped so that information from one certificate can be suitably mapped and then placed in a proper format and syntax for a different certificate format.

INFORMATION CERTIFICATE FORMAT CONVERTER APPARATUS AND METHOD

FIELD OF THE INVENTION

The invention relates generally to information certificate issuing apparatus and methods and more particularly to information certificate format converting apparatus and methods.

BACKGROUND OF THE INVENTION

With the increase in electronic commerce and other information dissemination systems, the need to protect information has become critical. As a result, symmetric key cryptosystems and public key based cryptosystems have found increasing usage. As known in the art, data structures such as certificates are generated by a certificate issuing unit, referred to as a certification authority, that is trusted by entities communicating information. For example, in public key infrastructures, a certificate may be generated in a format consistent with the public-key certificate format defined in the specification commonly referred to as X.509 and formally known as ITU-T Recommendation X.509 ISO/IEC 9594-8, Information Technology - Open Systems Interconnection - The Directory: Authentication Framework. As known, such certificates include, among other things, the public key of an entity such as a software application, node in a network, stand alone processing unit, end-user or other entity, wrapped in a digital signature format by a private key of a certification authority. In known public key cryptographic systems, for example, digital signature key pairs (a private key and a public key) are used to create and authenticate a digital signature of a subscriber [...] digital signature key pairs, encryption key pairs are also generally used to encrypt and decrypt the data being sent from one subscriber to another subscriber. Certificates are generated by a certification authority for the public keys of the private/public key pair to certify that the keys are authentic and valid. Public keys and certificates are used for two main purposes: verifying digital signatures and encrypting information. In many cases, two separate key pairs are used to support these services. Specifically, one key pair is used to support digital signature generation and verification and the other key pair is used to support encryption and decryption. The receiver of a digitally signed e-mail or other documents, for example, uses the public key in the sender certificate to verify the digital signature of the sender. A user wishing to send [...] key and then attaches the encrypted symmetric key to the encrypted e-mail so that the receiver can decrypt the e-mail.

Other information security systems may allow each subscriber to generate certificates for one another. One example of such a system is based on pretty good privacy (PGP) technology as known in the art. These systems use differing certificate formats. A problem arises when subscribers that use [...] formats wish to communicate. There is an incompatibility among certificate formats so that subscribers and certificate issuing units are only capable of analyzing a certificate format native to their security infrastructure. As such, a certificate validation engine cannot validate a certificate when the certificate has an unknown syntax.

Moreover, different versions of the same basic format, such as X.509 version 1, version 2 and version 3 certificates [...] different information. As such, systems may require additional separate validation engines wherein one is dedicated to validate each different type of version of certificate. This is especially true where additional information is present such as with version 2 or version 3 certificates.

One mechanism for overcoming the incompatibility problem is to issue all users a plurality of different certificates in the different formats expected to be used among differing [...] information infrastructures. However, such a system may require an enormous amount of overhead and storage capabilities, particularly when hundreds of thousands of users may desire to communicate in such a system. Alternatively, incompatibility may be overcome by having consumers of the certificates be able to validate all expected formats. Again, this may require that each subscriber have additional capabilities to provide validation of numerous different certificate formats. This again can add unnecessary overhead costs to each subscriber unit and further unnecessarily complicate the security operation of the subscriber.

Consequently, a need exists for a certificate issuing apparatus and method that facilitates compatibility among users of certificates having differing data structures and/or different syntaxes of certificate information. Such a system should provide suitable compatibility for any suitable certificate including public key certificates, non-public key certificates, verification certificates, encryption certificates, or other desirable certificates.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a block diagram illustrating one embodiment of [...].

FIG. 2 is a block diagram illustrating one example of a certificate converting unit in accordance with one embodiment of the invention.

FIG. 3 is a flow chart illustrating the operation of the certificate converting unit of FIG. 2 in accordance with one embodiment of the invention.

FIG. 4 is a block diagram illustrating one example of a certificate parser in accordance with one embodiment of the invention.

FIG. 5 is a block diagram illustrating one example of a certificate formatter in accordance with one embodiment of the invention.

FIG. 6 [...] illustration showing a plurality of certificate templates and corresponding mapping information in accordance with one embodiment of the invention.

FIG. 7 is a block diagram illustrating one example of a certificate generator in accordance with one embodiment of the invention.

DETAILED DESCRIPTION OF A PREFERRED EMBODIMENT OF THE INVENTION

Briefly, a certificate issuing apparatus and method creates a new certificate of a differing format from an existing certificate format to facilitate certificate conversion. A certificate converting unit receives first certificate data in a first format and desired certificate format criteria data, such as data representing the format of a certificate to which the first certificate is to be converted. The apparatus and method then generates second certificate data in a second format in
response to the desired certificate format criteria data. In one embodiment, this is done using certificate format template data, such as templates representing the format and/or syntax of a plurality of differing certificate formats. The format template data is then mapped so that information from one certificate can be suitably mapped and then placed in a proper format and syntax for a different certificate format. The certificate converting unit may be a part of a subscriber unit, a certification authority, a separate third party unit or any other suitable unit if desired.

In one embodiment, a certificate converting unit utilizes a certificate data parser that generates parsed certificate data from the first certificate data for a certificate formatter. The certificate formatter takes the parsed data and through use of mapping information, converts the data to a second certificate format based on the mapping information. A memory unit contains a certificate format template data and certificate data mapping information to facilitate the conversion. A certificate generator selects a suitable signature format and then applies a suitable digital signature to effectively convert a first certificate in a first format to a different certificate in a different format. If desired, the apparatus and method may use an incoming certificate validator to first validate that the incoming certificate to be converted is valid prior to undergoing certificate conversion. In addition, a certificate converting unit controller receives certificate conversion rule data, such as data indicating the rules governing whether conversion may take place. The controller may generate enable signals to the parser and certificate generator to suitably enable and disable them, if desired.

FIG. 1 shows an example of an information security system 10 that has at least two different certificate-based security information infrastructures generally shown as 12a and 12b. Information security system 12a may be, for example a PGP based system wherein the subscribers or clients are capable of generating certificates for one another. These certificates are in a first format shown as CERT A 20. Security information system 12b may be, for example, a public key-based security information system that utilizes certification authorities 14 to generate certificates for subscribers 16a-16n. The public key base certificates generated by certification authority 14, indicated as CERT B 18, are in a different format and/or have different syntaxes from CERT A 20 in that the certificates either have different data structures and/or different syntaxes in the data structures. For example, CERT B 18 may be an X.509 type certificate. In contrast, CERT A 20 may be a PGP based certificate. A certificate issuing apparatus 22 includes a certificate converting unit 24 and memory 25.

The certificate converting unit 24 receives the certificate data in the first format, such as CERT A 20, and converts the information in CERT A to converted CERT A 26 in CERT B format or syntax. This allows subscriber 30, for example, to provide trusted information to one of clients 16a-16n. Conversely, the certificate converting unit may use as the first certificate data the first format CERT B information 18 and convert it into a new certificate 32 in CERT A format so that the clients 16a-16n can provide certificate for client 30.

The certificate converting unit 24 may be located as part of any of the subscribers 16a-16n or 30a-30n, may be part of the certification authority 14, a stand alone unit or in any other suitable unit. A certificate issuing apparatus 22 may be any suitably programmed data processing unit such as an IBM-compatible PC, handheld portable unit or any other suitable unit if desired. The memory 26 may be a protected data base, suitable repository or any other suitable memory located in the same unit as the certificate converting unit 24 or as a peripheral memory thereto.

FIG. 2 shows one example of the certificate converting unit 24 having a certificate data parser 200, a certificate formatter 202, a certificate generator 204, a certificate converting unit controller 206, an optional incoming certificate validator 208 and an error generator 210. The certificate converting unit receives incoming certificate data 20 in the first format and generates a new certificate in a different format and/or data syntax. As illustrated, the certificate data parser 200 receives the incoming certificate data 18 as well as certificate format template data 212. The certificate data parser 200 then outputs parsed certificate data 214 for the certificate formatter 202. The certificate format template data 212 includes, for example, templates representing all of the different types of certificates for which the certificate converting unit will convert from and to. (See FIG. 6.) As used herein, template data may be [...] suitable format or structure that suitably defines [...] certificates as well as the syntax definition of information to be placed in the fields as well as signature format data indicative of a format in which the certificate generator 204 digitally signs converted certificate data as [...] described below with respect to FIG. 6.

If the incoming certificate validator 208 is used, the [...] revocation status checked pursuant to conventional methods depending upon the type of certificate. If the signature suitably validates, the incoming certificate validator 208 provides a validation enable signal 209 to the certificate data parser 200 indicating that the data parser may complete the parsing operation. The certificate converting unit controller 206 generates suitable control signals 216 to the certificate data parser 200, the certificate generator 204 and the incoming certificate validator 208. For example the control data 216 may use policy rule data to enable each of the respective operations or disable the operations based on certificate converting policy data 220. Certificate converting policy data 220 may include, for example, a list of certificate types that are allowed to be converted. In addition, the certificate data parser 200 and the certificate formatter 202, the certificate generator 204, the controller 206 and the validator 208 may all be operatively coupled to the error generator 210 to generate an error signal 224 due to an error detected by any of the respective operations.

The certificate converting unit 24 generates the converted certificate data 26, 32 in another format and/or syntax based on the certificate format template data 212 and certificate data mapping information 228. The certificate formatter 202 receives desired certificate format criteria data 230 from a given subscriber indicating the desired format for the output certificate data 26, 32. If desired, the certificate format criteria data 230 may be embedded information in a certificate from any other suitable source. The certificate formatter 202 converts parsed data 214 into certificate data in another format or syntax. The different formatted syntax may include a different data structure or different syntax for at least some of the data in the received or incoming certificate 20, 18. The converted data 232 is then communicated to the certificate generator 204. The certificate generator 204 generates an appropriate digital signature [...] signature format data communicated by the formatter 202.

In operation, as shown in FIG. 3 the system obtains incoming certificate data as shown in block 300. As shown in block 302, the system may optionally perform certificate validation on the incoming certificate, based on control signals from the CCU controller in response to received CCU policy rule data. If certificate validation is required (block 304), and it fails, an alarm is generated and processing stops. If certification validation is required and succeeds, or is not required, the certificate is parsed, as shown in block 308. The parsed certificate data is analyzed (block 310) to determine the incoming certificate format type. If the type cannot be determined, or is an unsupported type, an alarm is generated and processing stops (block 312). If the incoming certificate type is supported, processing continues. If a mapping from the incoming certificate type to the requested outgoing format is not supported (block 314), an alarm is generated and processing stops. Otherwise, the outgoing certificate template is formatted (block 316), digitally signed to produce an outgoing converted certificate (block 318), and sent to the subscriber originally requesting the certificate [...].

[...] one example of the certificate data parser 200 includes an incoming certificate format determinator 400 and a template populator 402. The incoming certificate format determinator 400 receives the certificate format template data 212 which represents the data fields and associated syntax for each different type of certificate to be converted by the certificate converting unit. The incoming [...] associated with one of the templates represented by the certificate format template data 212. As such, the parser 200 detects whether it recognizes [...] fields of an incoming certificate. The control data 216 may [...] whether to pass the parsed information to the certificate formatter 202. As such, the certificate converting unit may be controllable to limit the types of certificates that it is allowed to convert or, for example, be controlled to cease operation at various levels, if desired, to facilitate flexibility in reducing processing overhead should conversion become unnecessary. In addition, the control signal 216 based on the policy rule data allows an administrator, for example, to provide selective control as to the various operations of the certificate converting unit.

[...] format determinator 400 determines, for example, whether all scanned fields match with a stored template or whether only certain of the fields match, in which case additional fields may be tacked on to the end of the newly generated certificate to allow some [...] data within the certificate that is the [...] passed to the template populator [...] data representing, for example, whether the incoming certificate 20, 18 is an X.509 type, PGP type, or other type. This data is generated based on whether a match occurs with any of the certificate format template data 212 and the incoming certificate format. If a match occurs, the certificate type that matches is represented by the certificate type data 404. The template populator 402 receives the certificate type data 404 and also receives single template data 406 which is obtained based on the certificate type data. For example, the parser will access the specific single template corresponding to the template type indicated by the certificate type data 404 from the memory 25. The template populator then populates the single template to generate the parsed data 214. The single template data 406 may be partially populated from the partial amount of the fields that were present from the original or incoming certificate data. In addition, additional data may be tacked onto the end of the certificate if additional data has been sent in the incoming certificate that is not defined in the single template. Hence, the template populator populates the single template identified by the certificate type data using data from the first certificate.

Referring to FIG. 5, one example of certificate formatter 202 is shown having a multi-format certificate mapper 500 and an outgoing certificate template retriever 502. The multi-format certificate mapper 500 maps a plurality of first certificate data such as fields and associated syntax requirements to a different certificate format based on mapping information 504 obtained from storage unit 25. In addition, the multi-format certificate mapper 500 also maps the parsed data based on the desired format of the new certificate. The desired format criteria data 230 is data that represents the format of the new certificate. The outgoing certificate template retriever 502 obtains the desired certificate template from memory 25 and provides the output or desired certificate template 228 to the multi-format mapper. The multi-format certificate mapper 500 maps one certificate [...]. Hence, the multi-format certificate mapper 500 [...] certificate format or syntax based on the mapping information and the desired certificate format criteria data. The converted [...] representing a format of a digital signature to be generated as part of the desired certificate. [...] information which is [...].

Referring to FIGS. 2-6, certificate format template data 212a-212b (as shown in FIG. 6) is different for different certificates. For example, one certificate type may have five mapped fields each having a field data element and associated syntax definition data. Another template, such as template 212b, may have only two fields having differing field data elements and different corresponding syntax definition data. The mapping information 228 stored in memory may be a mapping table that maps from template 212a to 212b and vice versa. In this example, the mapper maps the first field from template 212a to the first field of template 212b to allow the corresponding [...] when mapping from format A to format B. [...] which indicates the format in which the certificate generator signs the converted data to generate the new certificate 26, 32. As such, different signature techniques may be required since different keys may be used.

Since different templates may have different data and syntaxes, a resulting template may include mapped fields, unmapped fields and signature format data. As shown in the example, CERT A requires data that CERT B does not have (template B has fewer fields than template A). Therefore, mapping tables may map default values where no corresponding fields are found, or may simply add fields at an end of a certificate if desired.

FIG. 7 shows an example of the certificate generator 204 having a digital signature format selector 700 and a plurality of private keys 702 wherein each of the private keys may be associated with the certificate converting unit, a certificate authority or any other unit that is performing the new certificate generation. The certificate generator 204 employs
one of the plurality of the private keys 702 in response to a selected signature format. The certificate generator 204 receives the converted data 232 which includes the certificate signature format ID data 600. The digital signature format selector 700 then selects the appropriate private key based on which format ID data has been received. For example, where the signature format data indicates that an X.509 type signature should be used, the digital signature format selector then selects the private key of the issuing unit associated with an X.509 security engine or certificate generation engine. The control data 216 may enable to the digital signature format selector 700 to indicate which private key to use and/or serve as an enable/disable signal to prevent the certificate 26, 32 from being generated. The digital signature format selector 700 includes a plurality of different conventional signature generating algorithms corresponding to the type of signature required for a given certificate format and/or syntax.

In an alternative embodiment, the disclosed system may be used to provide backward compatibility among similar format certificates having different versions. For example, the certificate converter may be used to generate an X.509 Ver. 1 certificate from an X.509 Ver. 3 certificate by mapping to a subset of the same format by suitably providing the templates, field definitions and syntax definitions.

The above-identified system allows users of differing security infrastructures to communicate information using their respective certificates even though the certificates are in different formats since the converter will convert to the appropriate format. The certificate converting unit and the components herein as described may be suitably programmed software processing devices or logic. The certificate data parser, the certificate formatter, certificate generator, controller, validator and error generator may all be implemented by a combination of software and hardware as known in the art by programming suitable processing units to perform the operations as herein described.

It should be understood that the implementation of other variations and modifications of the invention in its various aspects will be apparent to those of ordinary skill in the art, and that the invention is not limited by the specific embodiments described. It is therefore contemplated to cover by the present invention, any and all modifications, variations, or equivalents that fall within the spirit and scope of the basic underlying principles disclosed and claimed herein.

What is claimed is:

1. A certificate issuing apparatus comprising:
a certificate converting unit operatively coupled to receive first certificate data in a first format, and desired certificate format criteria data; and
memory operatively accessible by the certificate converting unit containing certificate format template data and certificate data mapping information,
wherein the certificate converting unit generates second certificate data in a second format in response to at least the first certificate data, the certificate format template data and the certificate mapping information;
a certificate formatter operatively responsive to the desired certificate format criteria data and operative to convert the first certificate data into second certificate data wherein the second certificate data includes at least one of a different data structure and a different syntax for at least some data in the first certificate; and
[...] among a plurality of signature formats to facilitate certificate conversion between the first certificate data and the second certificate data.

2. The apparatus of claim 1 wherein the certificate formatter [...] responsive to certificate mapping information.

3. The apparatus of claim 1 wherein the certificate converting unit includes a certificate data parser operatively responsive to the first certificate data and operatively responsive to the certificate format template data that generates parsed certificate data for a certificate formatter.

4. The apparatus of claim 3 wherein the certificate data parser includes a first certificate format determinator responsive to the certificate format template data and the first certificate data that generates data representing certificate type data.

5. The apparatus of claim 4 wherein the certificate data parser includes a template populator, operatively responsive to the certificate type data and to single template data obtained based on the certificate type data [...] using data from the first certificate.

6. The apparatus of claim 1 wherein the certificate formatter includes a multi-format certificate mapper that maps a plurality of first certificate data to a different certificate format or syntax based on mapping information and the desired certificate format criteria data.

7. The apparatus of claim 6 wherein the multi-format certificate mapper also provides digital signature format data representing a format of a digital signature to be generated as part of the second certificate data.

8. The apparatus of claim 6 wherein the mapping information is based on first certificate template data including first field data elements and associated first syntax definition data and second certificate template data including second field data elements and associated second syntax definition data.

9. The apparatus of claim 8 wherein the first certificate template data and the second certificate template data each include different digital signature format data.

10. A certificate issuing apparatus comprising:
a certificate formatter operatively responsive to desired certificate format criteria data and operative to convert first certificate data into second certificate data wherein the second certificate data includes at least one of a different data structure and a different syntax for at least some data in the first certificate; and
a certificate generator, operatively coupled to the certificate formatter, including a digital signature format selector operative to select among a plurality of signature formats to facilitate certificate conversion between the first certificate data and the second certificate data.

11. The apparatus of claim 10 including a certificate data parser operatively responsive to the first certificate data and operatively responsive to the certificate format template data that generates parsed certificate data for a certificate formatter.

12. The apparatus of claim 11 including a controller operatively responsive to certificate converting rule data, that generates a certificate generator control signal and a certificate parser control signal in response to the certificate converting rule data.

13. The apparatus of claim 11 wherein the certificate data parser includes a first certificate format determinator responsive to the certificate format template data and the first certificate data that generates data representing certificate type data.

14. [...] parser includes a template populator, operatively responsive
to the certificate type data and to single template data obtained based on the certificate type data, that populates the single template identified by the certificate type data using data from the first certificate.

15. The apparatus of claim 11 wherein the certificate formatter includes a multi-format certificate mapper that maps a plurality of first certificate data to a different certificate format or syntax based on mapping information and the desired certificate format criteria data.

16. The apparatus of claim 15 wherein the multi-format certificate mapper also provides digital signature format data representing a format of a digital signature to be generated as part of the second certificate data.

17. The apparatus of claim 15 wherein the mapping information is based on first certificate template data including first field data elements and associated first syntax definition data and second certificate template data including second field data elements and associated second syntax definition data.

18. The apparatus of claim 17 wherein the first certificate template data and the second certificate template data each include different digital signature format data.

19. The apparatus of claim 11 including a certificate validator operative to perform validation on the first certificate data prior to commencing parsing by the parser.

20. The apparatus of claim 15 including memory, operatively coupled to the certificate formatter and to the certificate data parser, containing the mapping information and the certificate format template data.

21. The apparatus of claim 10 wherein the certificate generator accesses one of a plurality of private signing keys in response to a selected signature format.

22. A certificate issuing method comprising the steps of:
receiving first certificate data in a first format, and desired certificate format criteria data;
generating second certificate data in a second format in response to at least the certificate format template data and the certificate mapping information;
converting the first certificate data into second certificate data wherein the second certificate data includes at least one of a different data structure and a different syntax for at least some data in the first certificate; and
selecting among a plurality of signature formats to facilitate certificate conversion between the first certificate data and the second certificate data.

23. The method of claim 22 including generates parsed certificate data for a certificate formatter based on the first certificate data and the certificate format template data.

24. The method of claim 23 including generating data representing certificate type data based on the certificate format template data and the first certificate data.

25. The method of claim 24 including populating the single template identified by the certificate type data using data from the first certificate based on the certificate type data.

26. A certificate issuing method comprising the steps of:
receiving first certificate data in a first format, and desired certificate format criteria data;
generating second certificate data in a second format in response to at least the certificate format template data and the certificate mapping information; and
mapping a plurality of first certificate data to a different certificate format or syntax based on mapping information and the desired certificate format criteria data.

27. The method of claim 26 including providing digital signature format data representing a format of a digital signature to be generated as part of the second certificate data.

28. The method of claim 27 wherein the mapping information is based on first certificate template data including first field data elements and associated first syntax definition data and second certificate template data including second field data elements and associated second syntax definition data.

29. The method of claim 28 wherein the first certificate template data and the second certificate template data each include different digital signature format data.

30. The method of claim 28 including performing validation on the first certificate data prior to commencing parsing.

31. The method of claim 28 including accessing one of a plurality of private signing keys in response to a selected signature format.
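
The conversion flow of FIG. 3 and the template mapping of FIG. 6, sketched as an added Python example that is not part of the patent text. The field names, the `x-` prefix for appended fields, the policy dictionary, and the HMAC stand-in for the signature algorithms and private keys 702 are all assumptions made for illustration.

```python
import hashlib
import hmac
import json

# Constructed template data (FIG. 6): ordered fields plus a signature format ID.
TEMPLATES = {
    "A": {"fields": ["user_id", "key", "created", "expires", "trust"], "sig_format": "sig-A"},
    "B": {"fields": ["subject", "public_key"], "sig_format": "sig-B"},
}
# Constructed mapping tables: (source type, target type) -> {target field: source field}.
MAPPINGS = {
    ("A", "B"): {"subject": "user_id", "public_key": "key"},
    ("B", "A"): {"user_id": "subject", "key": "public_key"},
}
# Default values for target fields that have no corresponding source field.
DEFAULTS = {"A": {"created": "unknown", "expires": "never", "trust": "none"}, "B": {}}
# Assumption: HMAC with demo keys stands in for the per-format signing keys and algorithms.
SIGNERS = {"sig-A": (b"demo-key-A", hashlib.sha256), "sig-B": (b"demo-key-B", hashlib.sha512)}
# Hypothetical policy rule data: convertible types and whether validation is required.
POLICY = {"allowed_source_types": {"A", "B"}, "validate_incoming": True}


class ConversionError(Exception):
    """Stands in for the error generator: any failed stage stops processing."""


def sign(fields, sig_format):
    """Signature format selector: pick key and algorithm from the format ID."""
    key, digest = SIGNERS[sig_format]
    body = json.dumps(fields, sort_keys=True).encode()
    return hmac.new(key, body, digest).hexdigest()


def issue(cert_type, fields):
    """Build a signed certificate of one type (used here to construct sample input)."""
    sig_format = TEMPLATES[cert_type]["sig_format"]
    return {"fields": dict(fields), "sig_format": sig_format,
            "signature": sign(fields, sig_format)}


def validate(cert):
    """Incoming certificate validator: recompute and compare the signature."""
    if cert.get("sig_format") not in SIGNERS:
        return False
    expected = sign(cert["fields"], cert["sig_format"])
    return hmac.compare_digest(expected, str(cert.get("signature", "")))


def determine_type(fields):
    """Format determinator: a template matches when all of its fields are present."""
    matches = [t for t, tpl in TEMPLATES.items() if set(tpl["fields"]) <= set(fields)]
    return max(matches, key=lambda t: len(TEMPLATES[t]["fields"]), default=None)


def convert(cert, desired_type, policy=POLICY):
    """Validate, parse, map, format and re-sign, stopping at the first failure."""
    if policy["validate_incoming"] and not validate(cert):          # blocks 302-304
        raise ConversionError("incoming certificate failed validation")
    src_type = determine_type(cert["fields"])                       # blocks 308-312
    if src_type is None or src_type not in policy["allowed_source_types"]:
        raise ConversionError("unknown or unsupported incoming certificate type")
    mapping = MAPPINGS.get((src_type, desired_type))                # block 314
    if mapping is None:
        raise ConversionError(f"no mapping from {src_type} to {desired_type}")
    src, out = cert["fields"], {}
    for name in TEMPLATES[desired_type]["fields"]:                  # block 316
        out[name] = src[mapping[name]] if name in mapping else DEFAULTS[desired_type][name]
    for name, value in src.items():
        # Source fields with no counterpart are added at the end of the new certificate.
        if name not in mapping.values():
            out[f"x-{name}"] = value
    sig_format = TEMPLATES[desired_type]["sig_format"]              # block 318
    return {"fields": out, "sig_format": sig_format, "signature": sign(out, sig_format)}


if __name__ == "__main__":
    # Constructed sample certificate in format A.
    sample = issue("A", {"user_id": "alice@example.org", "key": "PUBKEY-DEMO",
                         "created": "2000-01-01", "expires": "2001-01-01", "trust": "full"})
    print(json.dumps(convert(sample, "B"), indent=2))
```

With `validate_incoming` set to `False`, an altered input is converted and re-signed under the converter's own key, which is why the validation stage sits ahead of parsing in the flow.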